PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described
in CVE-2012-1823. It has also come to our attention that some sites use
an insecure cgiwrapper script to run PHP. These scripts use an unquoted $*
instead of "$@" to pass parameters to php-cgi, which causes a number of
issues. Again, people using mod_php or php-fpm are not affected.

One way to address these CGI issues is to reject the request if the query string
contains a '-' and no '='. It can be done using Apache's mod_rewrite like this:

There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected)
that has gone unnoticed for at least 8 years. Section
7 of the CGI spec states:

Some systems support a method for supplying a [sic] array of strings to the
CGI script. This is only used in the case of an `indexed' query. This
is identified by a "GET" or "HEAD" HTTP request with a URL search
string not containing any unencoded "=" characters.

So, requests that do not have a "=" in the query string are treated
differently from those that do in some CGI implementations. For PHP this
means that a request containing ?-s may dump the PHP source code for the
page, but a request that has ?-s&=1 is fine.

A large number of sites run PHP as either an Apache module through
mod_php or using php-fpm under nginx. Neither of these setups is
vulnerable to this. Straight shebang-style CGI also does not appear to
be vulnerable.

If you are using Apache mod_cgi to run PHP you may be vulnerable. To see
if you are, just add ?-s to the end of any of your URLs. If you see your
source code, you are vulnerable. If your site renders normally, you are not.

To fix this, update to PHP 5.3.12 or PHP 5.4.2.

We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to
upgrade these sites to a modern version of PHP. An alternative is to
configure your web server to block requests whose query string starts
with a "-" and does not contain a "=". Adding a rule like this should
not break any sites. For Apache using mod_rewrite it would look like
this:

If you are writing your own rule, be sure to take the urlencoded ?%2ds
version into account.
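The two points above, the "$@" versus $* wrapper problem and the "dash but no
unencoded '='" query-string check (including its %2d form), can be handled in
one place. The following POSIX sh wrapper is an added example written for this
page; it is not the cgiwrapper from any distribution or from the PHP project.
It assumes php-cgi lives at /usr/bin/php-cgi (overridable through the PHP_CGI
variable) and uses the GATEWAY_INTERFACE variable, which a CGI server sets, to
decide whether it is being run by the server or merely sourced.

```shell
#!/bin/sh
# Hardened php-cgi wrapper: an added example, not the wrapper shipped by any
# distribution.  ASSUMPTION: php-cgi lives at /usr/bin/php-cgi (override with
# the PHP_CGI environment variable).
PHP_CGI="${PHP_CGI:-/usr/bin/php-cgi}"

# Return 0 (true) when the query string is an "indexed" query in the CGI
# sense (it contains no unencoded '=') AND it carries a dash, either
# literally or url-encoded as %2d / %2D.  Those are the requests a CGI
# server turns into command-line arguments, so a dash can become a php-cgi
# option.  Anything with a literal '=' is an ordinary query and is allowed.
query_is_dash_indexed() {
    qs=$1
    case "$qs" in
        *=*) return 1 ;;
    esac
    case "$qs" in
        *-*|*%2d*|*%2D*) return 0 ;;
    esac
    return 1
}

# Count the argv entries a command actually receives.
count_args() { echo "$#"; }

# The broken idiom: unquoted $* joins the arguments into one string and
# re-splits it on whitespace, so "a b" arrives as two separate arguments.
args_via_star() { count_args $*; }

# The correct idiom: "$@" hands every argument through unchanged.
args_via_at() { count_args "$@"; }

# Emit a minimal CGI error response; php-cgi is never invoked.
reject_request() {
    printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
    printf 'Forbidden\r\n'
}

main() {
    if query_is_dash_indexed "${QUERY_STRING:-}"; then
        reject_request
        return 0
    fi
    # Pass the server-supplied arguments through verbatim with "$@".
    exec "$PHP_CGI" "$@"
}

# Only dispatch when a CGI server is actually invoking us (it sets
# GATEWAY_INTERFACE per the CGI spec); sourcing the file for tests is inert.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    main "$@"
fi
```

The check follows the wording earlier on this page (a '-' anywhere and no '='),
so a benign indexed query such as ?foo-bar is refused as well; the announcement
considers that acceptable. The ?-s&=1 form the text mentions is allowed, because
the literal '=' makes it an ordinary, non-indexed query that the server never
turns into arguments.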

Making a bad week worse, we had a bug in our bug system that toggled the
private flag of a bug report to public on a comment to the bug report
causing this issue to go public before we had time to test solutions to
the level we would like. Please report any issues via bugs.php.net.

DevConf is the ultimate meeting place for Russian-speaking web developers,
combining several language-specific conferences under one roof.

This year DevConf will include the following sections:

DevConf::PHP();

DevConf::Perl();

DevConf::RoR();

DevConf::Python();

DevConf::Javascript();

Each section will feature several talks from the active contributors/authors of the language.
Among the invited speakers are Derick Rethans (XDebug creator),
David Soria Parra (active PHP contributor), Andrey Aksyonov (author of Sphinx),
Alexander Makarov (one of the main contributors to Yii),
Sergey Petrunya (of MariaDB fame), Ilya Alekseev (OpenStack Nova contributor)
and many others, see more details on the official website.

The PHP development team announces the immediate availability of PHP 5.3.11 and PHP 5.4.1. These releases focus on improving the stability of the current PHP branches with over 60 bug fixes, some of which are security related.

All users of PHP are strongly encouraged to upgrade to PHP 5.3.11 or PHP 5.4.1.

What is PHP?

PHP is a widely-used general-purpose scripting language that is especially suited for
Web development and can be embedded into HTML. If you are new to PHP and want to get
some idea of how it works, try the introductory tutorial. After that, check out the online manual,
and the example archive sites and some of the other resources available in the links section.